Just as it appeared the problems of HealthCare.gov had passed, the White House announced on Sept. 4 that the national health-care portal had been hacked. No private information was taken, they said, but the hackers had managed to break in on July 8 and remain undetected until Aug. 25.
The hackers had installed malicious software that could have been used to attack other websites. The Department of Health and Human Services (HHS) reported that the point of entry was not protected by a firewall or intrusion detection software. The breach was only discovered once a manual scan was performed more than a month later.
The U.S. Department of Homeland Security reported the breach had been limited to just one server and reported no evidence that any attacks had been launched from the compromised machine. HHS Inspector General Daniel Levinson is reportedly now meeting with law enforcement agencies for continued investigation.
This breach is a reflection of the health-care industry in general, said John Pescatore, director of emerging security trends at the SANS Institute. All reports point to the attack not being targeted toward HealthCare.gov specifically, but that it was an automated scan that detected a vulnerable test server. The affected test server had insufficient security controls and there was no reason for it to be connected to the Internet, Pescatore said.
“In general, there’s been this rush to move to electronic health records. Health-care companies have been trying to reduce costs by going to online patient scheduling." Pescatore said. "In general, the security of health-care sites is not great. These portals were rushed out there and they’re certainly not looking much better than the rest of the health-care industry.”
The 2013 Breach List published by the Identity Theft Resource Center revealed that the health-care sector accounted for 43 percent of all reported data breaches, far more than any other sector.
One solution to this problem is to enforce the standards that are already in place, Pescatore said. Today, the HHS Office for Civil Rights is responsible for enforcing Health Insurance Portability and Accountability Act (HIPAA) standards, though government doesn’t appear to face much scrutiny.
“They have actually started fining companies in private industry that did have breaches and it did turn out they were not meeting the HIPAA requirements,” he said. “That’s been good, but on government sites I don’t think that’s happened yet.”
Pescatore said these kinds of breaches should be taken more seriously and investigated the same way an event like a plane crash is investigated, because the same fundamental mistakes are continually made.
When the Chernobyl Nuclear Power Plant exploded in 1986, there was still limited knowledge of how radiation affects the human body. Officials sent scientists and workers into the plant without safety equipment, and those workers died days later. They learned from the mistake and made changes for the next expedition.
“Imagine if there was a nuclear power plant explosion every week and they kept doing that,” Pescatore said. “Ninety percent of these websites that have a breach, it’s something stupid that was done over and over again.”
Editor's Note: This story was updated to include information obtained from an interview.